Limiting the insider threat

By Isaac Kohen

Nov 27, 2017

Thanks to efforts from the Department of Homeland Security’s Computer Emergency Readiness Team, today's cyber intelligence is more robust than ever. Among private-sector security professionals, the CERT team is considered a leading source of information regarding cyber threats and defense strategies. However, despite CERT leading the charge on cybersecurity, many federal agencies are lagging behind when it comes to protecting their assets.

This is not merely a matter of opinion. In September 2017 the Government Accountability Office conducted an in-depth study of federal agencies and found persistent weaknesses in cybersecurity practices. This is despite the security innovations of the last decade.

Agencies' struggles with cybersecurity place the United States at risk. The significant areas of risk GAO found included the following:

Weak access controls. Digital or physical access controls prevent unauthorized access to data or other sensitive resources and include boundary protection, user identification/authentication, authorization, encryption, log audits/monitoring and physical security. According to GAO, 24 federal agencies had glaring weaknesses in at least one of these areas, and 516 access control weaknesses were identified.

Configuration management. Many agencies did not have processes for developing, documenting and implementing configuration management policies, which control the security features of hardware and software, prevent unauthorized software installations, and ensure that updates and patches are applied. Running unsupported systems such as Windows XP gives insiders the opportunity to install their own software on their computers or on the network, which is what happened in the WannaCry outbreak earlier this year.

Segregation of duties. To ensure that no single individual controls all critical aspects of an operation, agencies use formalized procedures and policies and supervise users. However, without controls in place to monitor activity, no policy or procedure alone can prevent unauthorized use of data. GAO cited 23 federal agencies with inadequate policies or controls to effectively segregate duties.

Incident response. GAO found agencies also were unable to effectively respond and restore operations in the event of a data breach. For each minute an agency's network is down, the government wastes money and loses valuable information.

Weak security management system. The root cause of many of the agencies' problems is the lack of a comprehensive security management system. Almost all agencies were missing an operational framework for risk assessment and management, which leaves them vulnerable to cyberattacks.

The danger within: Insider threats

Cybersecurity weaknesses such as those GAO cited leave agencies vulnerable to threats from malicious or negligent insiders, which have long been a subject of concern for agencies. The Snowden incident highlighted just how damaging an insider incident can be. Insiders can be employees, contractors or even privileged working partners who know their way around weak access controls, poorly managed software, or even just the basics of how to cover their tracks.

When it comes to defending against insider threats, there are solutions that can improve cybersecurity and help agencies defend their valuable assets. These solutions blend technology and process and work hand in hand with employees to help them do their jobs.

User and entity behavior analysis can log every network and workstation event. Once a baseline pattern of activity is established, a behavior profile is developed and can be used to measure deviations from “normal” behavior. By having behavior profiles of the network and individuals, IT managers can automate insider threat detection.

Technology also can provide a snapshot of an agency and identify which individuals pose the highest risk of negligent or malicious behavior. Rules can be developed that track the use of personal email, access to unauthorized websites or even the downloading of unauthorized software on an agency's network or computers. Rule-based risk analysis allows administrators to act on threats before they compromise sensitive information.
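As an added illustration of the two approaches just described (baseline-and-deviation behavior profiling and rule-based checks), here is a small Python script that is not part of the article; it assumes a constructed workstation event log, hypothetical user names and an invented list of personal-email domains:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (user, day, action, target, bytes); not real agency data.
EVENTS = [
    ("alice", 1, "file_transfer", "share.agency.example", 1_200_000),
    ("alice", 2, "file_transfer", "share.agency.example", 1_100_000),
    ("alice", 3, "file_transfer", "share.agency.example", 1_300_000),
    ("alice", 4, "file_transfer", "share.agency.example", 1_250_000),
    ("alice", 5, "file_transfer", "share.agency.example", 48_000_000),  # ~40x normal volume
    ("bob", 1, "web", "gmail.com", 0),                                  # personal webmail
    ("bob", 2, "download", "setup-tool.exe", 5_000_000),                 # unapproved software
    ("bob", 3, "web", "intranet.agency.example", 0),                    # benign, no rule fires
]

PERSONAL_EMAIL = {"gmail.com", "yahoo.com", "outlook.com"}   # hypothetical rule list
EXECUTABLE_EXT = (".exe", ".msi")                            # hypothetical rule list

def baseline(events, days):
    """Per-user (mean, stddev) of daily transfer bytes over `days`; needs >= 2 days."""
    daily = defaultdict(lambda: defaultdict(int))
    for user, day, action, _, nbytes in events:
        if day in days and action == "file_transfer":
            daily[user][day] += nbytes
    return {u: (mean(d.values()), pstdev(d.values())) for u, d in daily.items() if len(d) >= 2}

def behavior_alerts(events, profile, day, z=3.0):
    """Flag users whose transfer volume on `day` exceeds their baseline by more than z std devs."""
    totals = defaultdict(int)
    for user, d, action, _, nbytes in events:
        if d == day and action == "file_transfer":
            totals[user] += nbytes
    alerts = []
    for user, total in totals.items():
        if user not in profile:
            continue  # no baseline yet: cannot score, rely on rule checks instead
        mu, sigma = profile[user]
        if sigma > 0 and (total - mu) / sigma > z:
            alerts.append(("behavior", user, f"day {day}: {total} bytes vs baseline {mu:.0f}"))
    return alerts

def rule_alerts(events):
    """Static rules named in the article: personal email use and unauthorized software downloads."""
    alerts = []
    for user, day, action, target, _ in events:
        if action == "web" and target in PERSONAL_EMAIL:
            alerts.append(("rule", user, f"day {day}: personal email {target}"))
        elif action == "download" and target.lower().endswith(EXECUTABLE_EXT):
            alerts.append(("rule", user, f"day {day}: executable download {target}"))
    return alerts
```

Days 1 through 4 serve as the learning window; scoring day 5 flags alice's transfer spike, while the rule checks flag bob's webmail use and executable download without needing any baseline for him.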

With modern advances in cybersecurity technology, administrators can monitor nearly anything that happens on the network, including video of sessions, keystroke logging and monitoring of email applications and file transfers. Additionally, some cybersecurity software presents the logs in a user-friendly format for non-IT professionals, giving agency officials full visibility into potential insider threats at all times.

The recent developments in cybersecurity technology can help federal agencies address their longstanding cybersecurity weaknesses. By adopting some of the more recent solutions, agencies can defend against cyberattacks and secure their valuable data.